Total
291487 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-45873 | 1 Couchbase | 1 Couchbase Server | 2025-04-23 | N/A | 6.5 MEDIUM |
| An issue was discovered in Couchbase Server through 7.2.2. A data reader may cause a denial of service (application exist) because of the OOM killer. | |||||
| CVE-2024-10680 | 1 10web | 1 Form Maker | 2025-04-23 | N/A | 4.8 MEDIUM |
| The Form Maker by 10Web WordPress plugin before 1.15.32 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
| CVE-2024-25082 | 3 Debian, Fedoraproject, Fontforge | 3 Debian Linux, Fedora, Fontforge | 2025-04-23 | N/A | 6.5 MEDIUM |
| Splinefont in FontForge through 20230101 allows command injection via crafted archives or compressed files. | |||||
| CVE-2024-25081 | 3 Debian, Fedoraproject, Fontforge | 3 Debian Linux, Fedora, Fontforge | 2025-04-23 | N/A | 4.2 MEDIUM |
| Splinefont in FontForge through 20230101 allows command injection via crafted filenames. | |||||
| CVE-2025-3676 | 1 Xxyopen | 1 Novel-plus | 2025-04-23 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability classified as critical has been found in xxyopen Novel-Plus 3.5.0. This affects an unknown part of the file /api/front/search/books. The manipulation of the argument sort leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-45429 | 2025-04-23 | N/A | 9.8 CRITICAL | ||
| In the Tenda ac9 v1.0 router with firmware V15.03.05.14_multi, there is a stack overflow vulnerability in /goform/WifiWpsStart, which may lead to remote arbitrary code execution. | |||||
| CVE-2025-45428 | 2025-04-23 | N/A | 9.8 CRITICAL | ||
| In Tenda ac9 v1.0 with firmware V15.03.05.14_multi, the rebootTime parameter of /goform/SetSysAutoRebbotCfg has a stack overflow vulnerability, which can lead to remote arbitrary code execution. | |||||
| CVE-2025-45427 | 2025-04-23 | N/A | 9.8 CRITICAL | ||
| In Tenda AC9 v1.0 with firmware V15.03.05.14_multi, the security parameter of /goform/WifiBasicSet has a stack overflow vulnerability, which can lead to remote arbitrary code execution. | |||||
| CVE-2025-32969 | 2025-04-23 | N/A | N/A | ||
| XWiki is a generic wiki platform. In versions starting from 1.8 and prior to 15.10.16, 16.4.6, and 16.10.1, it is possible for a remote unauthenticated user to escape from the HQL execution context and perform a blind SQL injection to execute arbitrary SQL statements on the database backend, including when "Prevent unregistered users from viewing pages, regardless of the page rights" and "Prevent unregistered users from editing pages, regardless of the page rights" options are enabled. Depending on the used database backend, the attacker may be able to not only obtain confidential information such as password hashes from the database, but also execute UPDATE/INSERT/DELETE queries. This issue has been patched in versions 16.10.1, 16.4.6 and 15.10.16. There is no known workaround, other than upgrading XWiki. | |||||
| CVE-2025-32968 | 2025-04-23 | N/A | N/A | ||
| XWiki is a generic wiki platform. In versions starting from 1.6-milestone-1 to before 15.10.16, 16.4.6, and 16.10.1, it is possible for a user with SCRIPT right to escape from the HQL execution context and perform a blind SQL injection to execute arbitrary SQL statements on the database backend. Depending on the used database backend, the attacker may be able to not only obtain confidential information such as password hashes from the database, but also execute UPDATE/INSERT/DELETE queries. This issue has been patched in versions 16.10.1, 16.4.6 and 15.10.16. There is no known workaround, other than upgrading XWiki. The protection added to this REST API is the same as the one used to validate complete select queries, making it more consistent. However, while the script API always had this protection for complete queries, it's important to note that it's a very strict protection and some valid, but complex, queries might suddenly require the author to have programming right. | |||||
| CVE-2025-32966 | 2025-04-23 | N/A | N/A | ||
| DataEase is an open-source BI tool alternative to Tableau. Prior to version 2.10.8, authenticated users can complete RCE through the backend JDBC link. This issue has been patched in version 2.10.8. | |||||
| CVE-2025-29953 | 2025-04-23 | N/A | 9.8 CRITICAL | ||
| Deserialization of Untrusted Data vulnerability in Apache ActiveMQ NMS OpenWire Client. This issue affects Apache ActiveMQ NMS OpenWire Client before 2.1.1 when performing connections to untrusted servers. Such servers could abuse the unbounded deserialization in the client to provide malicious responses that may eventually cause arbitrary code execution on the client. Version 2.1.0 introduced a allow/denylist feature to restrict deserialization, but this feature could be bypassed. The .NET team has deprecated the built-in .NET binary serialization feature starting with .NET 9 and suggests migrating away from binary serialization. The project is considering to follow suit and drop this part of the NMS API altogether. Users are recommended to upgrade to version 2.1.1, which fixes the issue. We also recommend to migrate away from relying on .NET binary serialization as a hardening method for the future. | |||||
| CVE-2025-28037 | 2025-04-23 | N/A | 9.8 CRITICAL | ||
| TOTOLINK A810R V4.1.2cu.5182_B20201026 and A950RG V4.1.2cu.5161_B20200903 were found to contain a pre-auth remote command execution vulnerability in the setDiagnosisCfg function through the ipDomain parameter. | |||||
| CVE-2025-27676 | 1 Printerlogic | 2 Vasion Print, Virtual Appliance | 2025-04-23 | N/A | 6.1 MEDIUM |
| Vasion Print (formerly PrinterLogic) before Virtual Appliance Host 22.0.843 Application 20.0.1923 allows Cross-Site Scripting in Reports V-2023-002. | |||||
| CVE-2025-27654 | 1 Printerlogic | 2 Vasion Print, Virtual Appliance | 2025-04-23 | N/A | 6.1 MEDIUM |
| Vasion Print (formerly PrinterLogic) before Virtual Appliance Host 22.0.862 Application 20.0.2014 allows Cross Site Scripting (XSS) V-2023-017. | |||||
| CVE-2025-27653 | 1 Printerlogic | 2 Vasion Print, Virtual Appliance | 2025-04-23 | N/A | 6.1 MEDIUM |
| Vasion Print (formerly PrinterLogic) before Virtual Appliance Host 22.0.862 Application 20.0.2014 allows Preauthenticated Cross Site Scripting (XSS): Badge Registration V-2023-012. | |||||
| CVE-2025-27637 | 1 Printerlogic | 2 Vasion Print, Virtual Appliance | 2025-04-23 | N/A | 6.1 MEDIUM |
| Vasion Print (formerly PrinterLogic) before Virtual Appliance Host 22.0.1002 Application 20.0.2614 allows Cross-Site Scripting V-2024-016. | |||||
| CVE-2025-26269 | 2025-04-23 | N/A | 3.3 LOW | ||
| DragonflyDB Dragonfly through 1.28.2 (fixed in 1.29.0) allows authenticated users to cause a denial of service (daemon crash) via a Lua library command that references a large negative integer. | |||||
| CVE-2025-25953 | 2025-04-23 | N/A | 6.5 MEDIUM | ||
| Serosoft Solutions Pvt Ltd Academia Student Information System (SIS) EagleR v1.0.118 was discovered to contain an Azure JWT access token exposure. This vulnerability allows authenticated attackers to escalate privileges and access sensitive information. | |||||
| CVE-2025-21605 | 2025-04-23 | N/A | 7.5 HIGH | ||
| Redis is an open source, in-memory database that persists on disk. In versions starting at 2.6 and prior to 7.4.3, An unauthenticated client can cause unlimited growth of output buffers, until the server runs out of memory or is killed. By default, the Redis configuration does not limit the output buffer of normal clients (see client-output-buffer-limit). Therefore, the output buffer can grow unlimitedly over time. As a result, the service is exhausted and the memory is unavailable. When password authentication is enabled on the Redis server, but no password is provided, the client can still cause the output buffer to grow from "NOAUTH" responses until the system will run out of memory. This issue has been patched in version 7.4.3. An additional workaround to mitigate this problem without patching the redis-server executable is to block access to prevent unauthenticated users from connecting to Redis. This can be done in different ways. Either using network access control tools like firewalls, iptables, security groups, etc, or enabling TLS and requiring users to authenticate using client side certificates. | |||||